Analysis Overview
SHA256
4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660
Threat Level: Shows suspicious behavior
The file 4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 05:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 05:02
Reported
2024-10-26 05:04
Platform
win7-20241010-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\AdobeDV\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVS\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDV\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeDV\devbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
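The two persistence signatures in this run (a file dropped into the per-user Startup folder, and Run/RunOnce values named Parametr pointing at executables in freshly created drive-root directories such as C:\AdobeDV and C:\MintVS) are the artifacts a host-side hunt can pivot on. The following is an added example, not part of the sandbox output or of any detection product: it runs a few detection rules over constructed Sysmon-style events built from the rows above (Event ID 11 = FileCreate, Event ID 13 = RegistryEvent SetValue). The trusted-directory list, the path markers and the benign control event are analyst assumptions and should be tuned per estate.

```python
"""Host-side detection for the persistence indicators in this report.

Added example, not part of the sandbox output: a few detection rules run
over constructed Sysmon-style events built from the 'Drops startup file'
and 'Adds Run key to start application' rows above. Field names follow
Sysmon (EventID 11 = FileCreate, EventID 13 = RegistryEvent SetValue);
TRUSTED_DIRS and the path markers are analyst assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe")
SID = "S-1-5-21-2039016743-699959520-214465309-1000"


def hku(sub: str) -> str:
    """Kernel-object form of a per-user autorun value, exactly as the report prints it."""
    return f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\{sub}"


# Constructed events mirroring the report's rows, plus one benign control row.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\ecadob.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": hku(r"RunOnce\Parametr"),
     "Details": r"C:\MintVS\optialoc.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": hku(r"Run\Parametr"),
     "Details": r"C:\AdobeDV\devbodsys.exe"},
    # Constructed benign control (not in the report): a vendor installer registering its updater.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": hku(r"Run\VendorUpdate"),
     "Details": r'"C:\Program Files\Vendor\update.exe" /quiet'},
]

HIVE_PREFIXES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))
AUTORUN_RE = re.compile(
    r"^(?:HKLM|HKU\\[^\\]+)\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')          # first token of a command line
ROOT_DIR_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+$")  # C:\<one dir>\<file>, as seen here
TRUSTED_DIRS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\")  # assumption
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
TEMP_MARKER = "\\appdata\\local\\temp\\"


def normalise_reg_path(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... and \\REGISTRY\\USER\\... (the report's form) to the
    HKLM\\ / HKU\\ form used by Sysmon and most SIEM rules; normal paths pass through."""
    for kernel, hive in HIVE_PREFIXES:
        if path.upper().startswith(kernel):
            return hive + path[len(kernel):]
    return path


def launch_target(details: str) -> str:
    """Executable a Run value will launch: the quoted token, or the first bare token."""
    m = EXE_RE.match(details)
    return (m.group(1) or m.group(2)) if m else details


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    target: str
    note: str


def detect(events) -> list[Finding]:
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        from_temp = TEMP_MARKER in image.lower()
        if ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_MARKER in target.lower():   # covers per-user and all-users Startup folders
                note = "writer runs from %TEMP%" if from_temp else "writer outside %TEMP%"
                findings.append(Finding("startup_folder_drop", image, target, note))
        elif ev.get("EventID") == 13:
            m = AUTORUN_RE.match(normalise_reg_path(ev.get("TargetObject", "")))
            if not m:
                continue
            exe = launch_target(ev.get("Details", ""))
            if any(exe.lower().startswith(d.lower()) for d in TRUSTED_DIRS):
                continue                          # vendor-style autorun, not this rule's concern
            note = f"{m.group('key')} value '{m.group('name')}' -> untrusted path"
            if ROOT_DIR_RE.match(exe):
                note += "; executable in a drive-root directory"
            if from_temp:
                note += "; set by a process in %TEMP%"
            findings.append(Finding("autorun_untrusted_path", image, exe, note))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process} -> {f.target} ({f.note})")
```

Two things to keep in mind when turning these rows into rules. First, the registry paths in this report are in kernel-object form (\REGISTRY\USER\<SID>\...); Sysmon and most SIEM content use HKU\<SID>\... and HKLM\..., so normalise before matching. Second, Sysmon records value writes (Event ID 13) and key creation or deletion (Event ID 12) but not key opens, so the System Location Discovery rows (NLS\Language key opened) have no direct Sysmon equivalent and also fire on plenty of benign software; treat them as sandbox-only context and pivot on the Startup-folder drop and the Run/RunOnce value named Parametr instead.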
Processes
C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe
"C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\AdobeDV\devbodsys.exe
C:\AdobeDV\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | f8d966430115ee082d5a2ce69248df83 |
| SHA1 | 760fcc1cef5c1213e250fbf391d0405c0bb8beb2 |
| SHA256 | cf0dbbe718a5920d9c88943b5db69b848dc2311fc921dd3dda41f3aa61013f49 |
| SHA512 | efa970aa52df17e7083f977dd90c64b34d3d4da813219d980d1deb4f7be7f518164e68b922540755a9cd484d1a166ed452298ccd95b3dd76f696315b678cf44f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 025154d0b97f0d2c5d9da58feaae4834 |
| SHA1 | 7838b993a5ce850ca5b0defb8df3a68dfb3e4a8b |
| SHA256 | 88c972f32e3cadf507e0f3de68b73f977354c01e9a97e58bf41a17710aa982bb |
| SHA512 | 75494b52e1299a45c738139a47800ff609a8a2ad2c08745149abea0d2882ada4854bc0b35c1f49a152bb5da13bb2d01f2a251a3e0b841e40c2881904d8fc80f3 |
C:\AdobeDV\devbodsys.exe
| MD5 | 8eeb342b56fc54053c7f96cf9f8a00c3 |
| SHA1 | 275413425a6755bb1d82addeeb51d17fbc103814 |
| SHA256 | 77c7900240bddd225ab8eff653cf66b9e68f8502e55f37f453e349fedac6bf3c |
| SHA512 | 9f3bdfd4946768a61247d6abba791248510de5cc01ff705f64af31527d505b91664c6b829106ed150c1d026837098466f9c193e575658780216b3e9ffbde25c9 |
C:\MintVS\optialoc.exe
| MD5 | 233908e23689325f7116a9af529e7695 |
| SHA1 | ad7ccec315fafb4ed9dbb3df7a1dd1844ad75e20 |
| SHA256 | d77fe3f3a13fb64c03e5ca4d65f2e49953798112d81c5d70069281235ab0dbae |
| SHA512 | 168e8489126027046bbf28b7f33c41bc28659e1070159b5a027cb95113279cf35734756306441569cc90faa19c3aaca44cd62d30dc733e8806ff16fd6bc3c275 |
C:\MintVS\optialoc.exe
| MD5 | ea9d68223b345438ddba6858827e0b04 |
| SHA1 | 747b8e3b99d8b8170d8995a5a333f9f8317273b1 |
| SHA256 | 7d54dfa9b35a545ddec754c615a5187bf6f318785a141f9d5b658dfe8ced9c33 |
| SHA512 | 825168d4c0aae0dfdde3498db0b31c944fd6e96f479e5b125eef58221e53d886bd98ea0c695ea496c1122c2f099c83a8be4b9129ad366673a2d484747f390157 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bf1a4bd25b6699c230423a358c721a8a |
| SHA1 | bd5da4bd88cc06a05eb2c2086ccc67d431a4cd3f |
| SHA256 | 82a65a54ee1179bd89cf49218c4b2bf43b29adbf53bf2e3d8312c5d33e378125 |
| SHA512 | 33f17e7ed5f8228c1edfd3c750bd73ce6d7242fb5e3be8f4ac83aaf82476e97fb4fe1704d3707d61deb8cb143deacc96b41042fa5f7d71e680a61aee0d45626b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 05:02
Reported
2024-10-26 05:04
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\IntelprocVN\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVN\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZF6\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocVN\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe
"C:\Users\Admin\AppData\Local\Temp\4fd809053fbafcdc58dac303d4eae9de1452008afa12b99d75f63fbde093b660N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\IntelprocVN\xdobloc.exe
C:\IntelprocVN\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
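Every row in this table is either a DNS query to the sandbox resolver, a reverse-DNS (in-addr.arpa) lookup, or a TLS connection to a Bing host, which is consistent with Windows 10 background activity rather than with the sample itself; the report does not attribute connections to processes, so this cannot be confirmed from the page alone. The following is an added example, not part of the sandbox output, showing how to triage such a table: it classifies each row, decodes the address behind each PTR name, and leaves only unexplained rows for review. The background-domain allowlist is an analyst assumption, and the last input row (a TEST-NET address with a .invalid name) is constructed and not in the report, so that the review path is exercised.

```python
"""Triage of a sandbox Network table: which rows are OS/sandbox background
noise and which deserve a look.

Added example, not part of the sandbox output. BACKGROUND_SUFFIXES encodes an
analyst assumption (Bing lookups are Windows 10 background activity in the
sandbox, not sample behaviour). The last row of NETWORK_TABLE is constructed
(TEST-NET address, .invalid TLD) and is NOT in the report.
"""
import re
from collections import Counter

# A subset of the report's rows, copied as printed, plus the constructed last row.
NETWORK_TABLE = """
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| ZZ | 203.0.113.7:443 | updates.example.invalid | tcp |
"""

ROW_RE = re.compile(r"^\|\s*(?P<cc>\w+)\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
                    r"\s*(?P<domain>\S+)\s*\|\s*(?P<proto>\w+)\s*\|$")
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")   # assumption, see module docstring
RESOLVER = "8.8.8.8"                                # the sandbox's DNS server in this report


def parse_rows(text):
    """Parse the report's pipe-delimited Network rows into dicts; header/other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def ptr_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217': the address being reverse-resolved."""
    labels = name.lower().removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(labels))


def classify(row):
    domain = row["domain"].lower()
    if domain.endswith(".in-addr.arpa"):
        return "reverse_dns"
    kind = "dns_query" if (row["ip"] == RESOLVER and row["port"] == "53") else "connection"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return f"background_{kind}"
    return "review"


def triage(text):
    """Return (class counts, rows needing review, decoded PTR targets)."""
    rows = parse_rows(text)
    summary = Counter(classify(r) for r in rows)
    review = [r for r in rows if classify(r) == "review"]
    ptr_targets = sorted({ptr_to_ip(r["domain"]) for r in rows if classify(r) == "reverse_dns"})
    return dict(summary), review, ptr_targets


if __name__ == "__main__":
    summary, review, ptrs = triage(NETWORK_TABLE)
    print(summary)
    print("review:", [f"{r['domain']} ({r['ip']}:{r['port']}/{r['proto']})" for r in review])
    print("reverse-resolved addresses:", ptrs)
```

Under the stated assumption, none of the report's own rows is left for review: no connection attributable to the sample was recorded in this 102-second network window. That is an observation about this detonation, not evidence that the sample lacks network capability; a longer run, a different platform, or attribution of the PTR lookups to a process could change the picture. The decoded PTR targets are worth keeping, since they are the addresses something on the guest was trying to name, and the report does not say which process asked.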
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 0f4f39f57c0e616fd2233a4b5098a553 |
| SHA1 | 0acbc5bba879b518b92859a9b76be19fbac6697b |
| SHA256 | 252501abb19c96a6ec8ac7793487347b054223a36cbc734c1520500af256d3e7 |
| SHA512 | 73e29fbf23f26efd120bdb28a096e143535eaed49a560a73cf214c872a7138e8ed958c5983366990e02f012530ef3b02db1ce6764bf7b37995dfde5843021767 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 118889ab0115c5a625138eacdd805b0e |
| SHA1 | 1aba218b39ddf50c5ba6e6b5aea518d66cfeecae |
| SHA256 | 33ee7b1324dd8505328d462530fabe9548565779f742e8ea2d47b0f048a3ce39 |
| SHA512 | b9d41c146064ced031ba0623323ca18eb9d1d17ec5eaa50c53d210afd769bdbe6c562da952a504a55c2bc8d7e397226c62222c12ea903ff4eabbbdee5d1cedb4 |
C:\IntelprocVN\xdobloc.exe
| MD5 | 3d70b55fd9284f0152d1d449c70fd49c |
| SHA1 | 59339e385e05f3ab6740c884327ca7b632a47008 |
| SHA256 | 8c3a35c6d34926505d6048a6ef7e0b50989f482fb66fb9e988cd2fca1d8a0b09 |
| SHA512 | 4ffbd40efc4324f61e5975431a33dcc24f9e677e8a958a2b5e8fcdc4442e85a35597f7a993af6daebe5e321041eb68fc1a6a6c6703fd7575ecac9f96efec42dc |
C:\IntelprocVN\xdobloc.exe
| MD5 | 02d98fc2ae99c065c37338b1203c417f |
| SHA1 | fec6a01cfe2105b6564572cd8c76a0ac2f0e8cd7 |
| SHA256 | ef8d171b18ac4f4e94a6786142a0ac3be3458f54439a5e82726c8a1bf74e824c |
| SHA512 | 6d628e3ec90a01e010a3f01137ce78b593700651a9124c822bbd44a4baaa52973bbc52ee06283e181fc11646d1a7bcc43b930913237381686032d0e79cf695ea |
C:\LabZF6\dobxloc.exe
| MD5 | fb9a7825d833768c003caf2426ec9f98 |
| SHA1 | 21131bee14974958e4335e0ec19084c20858d325 |
| SHA256 | c948dbe29d32c5aceeb724169fd4d0a11cce3c606b0656348548809e299d1770 |
| SHA512 | d208b23197a48e737f7ad3dbe1ad2154abf6c86839b4131067404b729a2592d83d25838f0be2006464c9c98ef6c1bf857e6e757e0845f967601f2be32def6e16 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 765ca12261d8e91e016f879dc5a16465 |
| SHA1 | 496870b1c25421a1be8a13a7e1573929297ca450 |
| SHA256 | cbda76db6165626e45c0433e31da36193cf21ccfcb05132f5365f30bb4709b54 |
| SHA512 | 11aa8ad4245497c1aa559a8f542fefcb80e775c0607b65ad9182a2bd059ddb2227ede09481aaa125daee11d40861b73d81f9f265c14e3888b6a12a44efb75bd8 |
C:\LabZF6\dobxloc.exe
| MD5 | d3b7f0016f543d4ccec311ceedd3b8eb |
| SHA1 | 1aaf386e299c279740a49414729411b6cf0ce3da |
| SHA256 | 3614325a65a8db16d113836bc9d3df82cd8560a3668ca5795a3fc57e240f510a |
| SHA512 | 3f6aa78e09f022d98720840785894b68ff7ba3b50d921cd296aa30a29e2e8bd165b9e101802d1e836352e80b5a83c5c53e6a556f9836c077cc50b78622d7c916 |